Despite overwhelming evidence on how encryption can enable better security for health data, its storage and disclosure, the Indian encryption debate is headed in the opposite direction. Arya Tripathy, Partner, PSA Legal and Kazim Rizvi, Founder, The Dialogue believe that if the Government is promoting telemedicine, i.e., sharing of sensitive personal data over digital communication platforms then it must also ensure that the platform is secure. Any backdoor in an encrypted platform can be exploited by foreign governments, non-state actors and savvy criminals which would not only impact user privacy but also endanger national security.
It was only in its 68th year that the Republic of India recognised the right to privacy as a fundamental right. In 2017, the Supreme Court, while adjudging the constitutionality of the Aadhaar Act, 2016, ruled that informational privacy is an integral part of an individual’s privacy. It urged the government to put in place a robust data protection regime.
Simply put, “informational privacy” is an individual’s control over how personal data can be collected, accessed, used and disseminated onwards. The degree of control is not absolute. Rather, it depends on variables such as the sensitivity of the data, the context of use, the potential harm that can ensue from misuse, and state security.
Aside from these variables, enabling privacy rights will rest on the state of the technology infrastructure deployed by fiduciaries and processors. Thus, one of the key questions that data-centric organisations must examine in depth is how secure their data storage and transmission practices are.
Undoubtedly, certain kinds of personal data, such as health, financial and biometric data, sexual orientation, and data that reveal religious, political and cultural views, demand higher privacy controls and stricter security measures. This is because their abuse could cause serious harm to an individual.
Let us consider the recent Dr Lal PathLabs data leak, which exposed the health data of millions of patients, including tests taken, treating doctor, digital signatures, COVID-19 results, names, phone numbers, e-mails and addresses. The breach was triggered because patient data was stored in the cloud without password protection.
Now, let us consider the potential harm that this breach could result in. Leaked data could be maliciously used for identity theft, health insurance fraud and phishing scams, and as a gateway for further breaches. At a granular level, it can lead to the disclosure of private information to the public, damage a person’s reputation, subject them to social discrimination and cause personal distress; and, not to forget, if the data contains employment wellness and drug abuse test results, it can affect the patient’s employability and livelihood. Was this breach preventable?
Perhaps. Measures such as enabling password protection, limiting access on a need-to-know basis, and storing passwords in a form other than plain text could have reduced the chances of a data leak.
This and many other frequent data leak incidents point to one thing: there is a need for a better understanding of privacy-enabling technical tools, their uses, and their limitations. Without sound technological data protection tools, organisational and managerial security measures will most likely falter, and where the data set contains sensitive personal data, material harm can be caused to the individual in all walks of life.
In the context of health data, which is sensitive personal data, the degree of risk and the potential harm are significant. Even before privacy was elevated to the status of a fundamental right, the facts of Mr. X vs. Hospital Y, a 1998 Supreme Court judgment, showcased the massive impact that disclosure of health data can have. In this case, the patient was diagnosed as HIV positive. The doctor disclosed the condition to the patient’s fiancée. Consequently, Mr. X’s marriage was called off and he faced social ostracisation.
Fast forward to recent times: the lack of adequate privacy protection features in the government’s Aarogya Setu app was criticised severely, compelling the government to subsequently release a data access and sharing protocol.
Alongside this, India has also begun to embrace telehealth and telemedicine, bringing in new kinds of intermediaries who enable the processing of health data and the provision of teleconsultation, counselling, lifestyle and other telehealth services. Thus, it would not be an exaggeration to state that state-of-the-art technology tools must be encouraged and promoted for the storage and transfer of digital health data.
The Personal Data Protection Bill (PDP Bill) emphasises adequate security measures as a key to privacy by design and default. Clause 24 of the PDP Bill specifically mentions de-identification and encryption technology as illustrations of such measures.
In a post-COVID world, people have adopted, and will continue to adopt, telemedicine as an add-on to physical diagnosis delivered in hospitals. Earlier this year, the NITI Aayog, along with the Ministry of Health and Family Welfare, released the official guidelines for telemedicine practice in the country. Among other suggestions, the Guidelines allow registered medical practitioners to consult and prescribe treatment to patients over private messaging platforms such as WhatsApp. Communication devices are making a strong impact in driving telemedicine, which has been quite beneficial to society at large.
As these operational models grow in the country, securing and protecting user data will be a fundamental requirement for their successful deployment. This is where end-to-end encryption will be a critical component of user privacy and data security.
There is substantial evidence from other jurisdictions that encryption technology is promoted as a fundamental building block of a secure and interoperable health data ecosystem. Encryption brings in access checks and significantly minimises the risk of data breaches.
Generally speaking, encryption tools transform plaintext data into ciphertext, which can only be accessed, deciphered and used by an authorised person using the corresponding decryption technology.
In Singapore, the Personal Data Protection Act recommends the encryption of physical and mental health data. Yet another illustration can be drawn from Hong Kong, where a core principle for electronic health record sharing is to ensure that important demographic information is validated, and that all health data in databases, files, archives and in transmission is encrypted using high-security encryption. India’s Telemedicine Practice Guidelines 2020 also prescribe that it is the duty of the Resident Medical Professional to protect the patient’s privacy and ensure the confidentiality of health data in transit on digital platforms.
Despite overwhelming evidence of how encryption can enable better security for health data, its storage and disclosure, the Indian encryption debate is headed in the opposite direction. Since 2007, there has been increasing resistance to the export and use of encryption technology in data services.
The key objection stems from the argument that encryption defeats surveillance, and that encrypted data therefore poses a threat to state security interests. Several telecommunication licence requirements already restrict the ability to implement high-end encryption tools, and the situation seems to be moving towards a complete ban.
The draft Intermediary Guidelines proposed a traceability requirement which would render an encrypted platform susceptible to cyberattacks and foreign surveillance, among other security threats. Should this become law, health tech intermediaries such as digital platforms, aggregators, cloud service providers and TPAs who process health data could not deploy encryption, which is likely to raise concerns around the overall security and resilience of the ecosystem and the reliance that can be placed on it. It is somewhat confusing that sensitive data sets and the most private aspects of individuals’ lives can be kept in a vulnerable state when other alternatives exist to safeguard state interests.
Recently, the Five Eyes, along with India and Japan, issued a joint statement asking tech companies to build traceability into encrypted platforms to prevent social vices such as the proliferation of Child Sexual Abuse Material. On one hand, countries are facing challenges in protecting sensitive information pertaining to COVID-19 vaccination; on the other hand, they are asking companies to embed vulnerabilities in digital platforms.
Curiously, this position stands in stark contrast to recent recommendations from TRAI, which explicitly call out that the security architecture of encrypted platforms must not be tinkered with, as doing so would render users susceptible to cyber vulnerabilities.
If the Government is promoting telemedicine, i.e., the sharing of sensitive personal data over digital communication platforms, then it must also ensure that the platform is secure. Any backdoor in an encrypted platform can be exploited by foreign governments, non-state actors and savvy criminals, which would not only impact user privacy but also endanger national security.
Be it e-commerce or digital banking, encryption technology has been the foundation of user trust and security. Any digital economy will need to rely on a progressive encryption regime to build trust and ensure security. An indirect ban on encryption seems a drastic approach, specifically for a fledgling health tech sector.
A balancing act is indeed difficult, but not impossible. If the ideal is to ensure that health information privacy is a top priority, it is imperative that the government revisits its stance and promotes encryption.